CyberCNS - Troubleshooting FAQs
- 1 Assessment
- 2 Scans
- 3 To check the log-in verbose by running the agent in debug mode
- 3.1 Vulnerability Scans failure with nmap error in the cybercns.log
- 3.2 Active Directory Scan information missing issue
- 3.3 Exclude printer port or IP if Printer is printing garbage/junk pages once the CyberCNS Scan is in process.
- 3.4 Printer is printing junk pages though it has been successfully excluded from scanning
- 3.5 Agent discovery Scan result shows a response for every IP in the subnet added for scanning
- 4 Scan failures
- 5 Case 1: Dial tcp <ipaddress>:445 failure
- 6 Agent related issues
- 6.1 AV/EDR Alert when scan is in process
- 6.2 Primary executables in the CyberCNSAgentV2 to Whitelist
- 6.3 To uninstall cybercnsagentv2 from command prompt
- 6.4 To uninstall cybercnsagentv2 from Windows GUI
- 6.5 Upgrade/update the agent manually
- 6.6 For Mac to verify whether the binary is running using privileged user
- 6.7 Steps to start and stop the agent in MAC.
- 6.8 To validate why the agent is not starting: MAC
- 6.9 CyberCNS Agent is not reporting back to the portal
- 6.10 To check the type of agent installed for RMM use
- 6.11 Few NMAP commands help to get certain information with reasons
- 6.12 Windows 7 : CyberCNS Agent installation failure issue while using direct Powershell script from CyberCNS.
- 6.13 CyberCNS Agent 2.0.28- AD lockout issue
- 6.14 Comparison for Probe/lightweight agents for Mac vs windows can and cannot be scanned
- 6.15 CyberCNS Agent installation error: The system can not find the path specified.
- 6.16 New Agent installation using RMM
- 6.17 SMB enabled but Scan failing
- 6.18 Vulnerability scan time-out error: Exception calling RStartServiceW. Code: 5, Msg: ERROR_ACCESS_DENIED
- 6.19 CyberCNS log file error: Error in installing VC_redist.x86.exe out: err:-
- 7 Self-hosted deployment
- 7.1 For CyberCNS Updates
- 7.2 CyberCNS V2 SSL certificate path for the customer to update.
- 7.3 CyberCNS Password requirement
- 7.4 Error On Premise Installation: Minion is unable to communicate with salt
- 7.5 Not getting new updates released for CyberCNS.
- 7.6 Update SSL certificate for on premise ( Self Hosted) CyberCNS Instance
- 8 Azure AD integration-related issues
- 9 Patching related issues
- 10 CyberCNS API issues
- 11 Remediation related issue
- 12 Vulnerabilities related issues
- 13 Active Directory Audit
- 14 Assets Information mismatch
- 15 Alerts/Notification rules
- 16 Recommended browser for interface
- 17 Using paexec to Execute Applications Without Installation
- 18 Dashboards FAQs
- 19 Powershell 2.0 status check
Assessment
CyberCNS Assessment Video
https://www.youtube.com/watch?v=_aHm4JwYSkE&list=PLhI4ORTcGqHJJ8TsXkjqHUjJ1CFQCh49N&index=7
To run the Assessment agent in debug mode
For Windows:
Open Command Prompt as an administrator on the system where the assessment agent is running.
Navigate to the location wherein the assessment agent is extracted.
Run the below command.
>>cybercnsagent.exe --enableAssessment
For Mac
Open the terminal as a privileged user on the system where the assessment agent is running.
Navigate to the location wherein the assessment agent is extracted.
Run the below command.
>>cybercnsagent_darwin --enableAssessment
For Linux
Open the terminal as a privileged user on the system where the assessment agent is running.
Navigate to the location wherein the assessment agent is extracted.
Run the below command.
>>cybercnsagent_linux --enableAssessment
For ARM
Open the terminal as a privileged user on the system where the assessment agent is running.
Navigate to the location wherein the assessment agent is extracted.
Run the below command.
>>cybercnsagent_arm --enableAssessment
Please initiate an assessment scan by browsing https://localhost:8088 in the browser.
Once the scan is initiated, the logs are seen in the command prompt or the terminal window.
Scans
To check the log-in verbose by running the agent in debug mode
This helps you find where a scan is failing, or why the agent is not reporting back to the CyberCNS portal.
CyberCNS Agent (Probe and Lightweight) logs are located at:
For Windows - C:\Program Files (x86)\CyberCNSAgentV2\logs\cybercns.log
For Mac: /opt/CyberCNSAgentV2/logs/cybercns.log
For Linux: /opt/CyberCNSAgentV2/logs/cybercns.log
For ARM Agent: /opt/CyberCNSAgentV2/logs/cybercns.log
To Run Debug mode command for Windows:
-run command prompt as admin
-Navigate to CyberCNS Agent folder
>cd C:\Program Files (x86)\CyberCNSAgentV2
-Stop CyberCNSAgentV2 service
>net stop cybercnsagentv2
> net stop cybercnsagentmonitor
-Run below command to run scan in debug mode
>cybercnsagentv2.exe -m Probe -d
Please initiate a relevant scan once above command is running successfully.
To Run Debug mode command for Linux OR ARM agent:
-->open terminal with privileged user
sudo su
systemctl stop cybercnsagentv2
systemctl stop cybercnsagentmonitor
cd /opt/CyberCNSAgentV2
./cybercnsagentv2_linux -t Probe -d
For ARM please run below command:
./cybercnsagentv2_arm -t Probe -d
To Run Debug mode command for Mac:
-->open terminal with privileged user
sudo su
launchctl stop cybercnsagentv2
launchctl stop cybercnsagentmonitor
cd /opt/CyberCNSAgentV2
./cybercnsagentv2_darwin -t Probe -d
Please initiate a relevant scan once above command has run successfully.
Vulnerability Scans failure with nmap error in the cybercns.log
Vulnerability Scans are failing with nmap error shown in cybercns.log. Error as shown below:
Please check whether WinPcap or Npcap is installed on the agent system (where the CyberCNS agent is installed).
If it is installed, please request the customer to remove it. After uninstalling WinPcap/Npcap, the system may require a reboot. Inform the customer about it.
Please follow below steps for removing winpcap or npcap:
Step 1: Stop the agent services
>> net stop cybercnsagentv2
>> net stop cybercnsagentmonitor
Step 2: Uninstall the Npcap and other pcap drivers from the agent machine
>> This can be achieved from the GUI.
Step 3: Reboot the machine. (Because pcap drivers are run in the kernel, the reboot is required for clean uninstallation)
Step 4: Install the latest Npcap on the machine and initiate a scan to resolve the reported issue.
Active Directory Scan information missing issue
Active Directory section missing information post AD Scan
Active Directory information not captured during AD Scan
Open Powershell as an admin on Active Directory system and run below command:
>>(Get-WmiObject -Class Win32_OperatingSystem).ProductType
--Output: 2 (as it is a secondary DC) OR
--Output: 1 ( in case it is a primary DC)
Open command prompt as an Admin
> cybercnsagent.exe -m Adscan (This will initiate AD scan manually to verify further)
Exclude printer port or IP if Printer is printing garbage/junk pages once the CyberCNS Scan is in process.
Though CyberCNS already excludes the common printer ports, additional printer models may still need to be handled, and such a printer may print junk while a scan is in process.
Please collect information such as the printer model and the port number used for the printer.
Verify whether the printer is printing junk by using the below command:
a. Navigate to the nmap folder in the CyberCNS agent folder on the agent system.
b. cd C:\Program Files (x86)\CyberCNSAgentV2\nmap
nmap.exe -sV -p80 -Pn --script vulners.nse <ip address>
Guide the customer to exclude the IP address OR ports temporarily to avoid the printer printing junk, as below:
a. In the CyberCNS portal, navigate to Probe/Agent>Discovery Settings>IP Ranges
b. Define an IP Address/IP range and select Exclude from Scanning.
Printer is printing junk pages though it has been successfully excluded from scanning
It is shared from print server services on their Domain Controller.
As pointed out, there is a possibility that an SMB printing server is available in the environment and that port 139 is the one being used for SMB printing via SMB printing servers. In this case, please discard port 139 in your global port discarded settings. Ideally, discarding this port should solve your printer issue.
We have removed SMB for a printer for scanning that basically removes SMB printers scanning. We have taken all the known vendors and we have removed them from the scanning list.
c. Navigate to Settings>Port Policy Settings and input port number to exclude from scanning.
Agent discovery Scan result shows a response for every IP in the subnet added for scanning
Please run below command on the agent (Probe Agent) system using Command Prompt as an admin and share an output with support.
>>nmap -oX - -T4 -Pn -sT --top-ports 65535 --reason <IP Address>
--IP address in the above command will be a CIDR range to be scanned.
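An added example (not CyberCNS code) for reading the XML that the command above prints before sharing it with support: it tallies, per host, the reasons nmap recorded. The sample XML is constructed; with -Pn nmap lists every target as up with reason user-set, so only the port reasons show whether a host actually answered.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample of `nmap -oX - -Pn -sT --reason` output, trimmed to the
# elements used here. Addresses come from the documentation range 192.0.2.0/24.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -oX - -T4 -Pn -sT --top-ports 65535 --reason 192.0.2.0/30">
  <host>
    <status state="up" reason="user-set" reason_ttl="0"/>
    <address addr="192.0.2.1" addrtype="ipv4"/>
    <ports>
      <extraports state="closed" count="65533">
        <extrareasons reason="conn-refused" count="65533"/>
      </extraports>
      <port protocol="tcp" portid="445"><state state="open" reason="syn-ack" reason_ttl="0"/></port>
      <port protocol="tcp" portid="3389"><state state="open" reason="syn-ack" reason_ttl="0"/></port>
    </ports>
  </host>
  <host>
    <status state="up" reason="user-set" reason_ttl="0"/>
    <address addr="192.0.2.2" addrtype="ipv4"/>
    <ports>
      <extraports state="filtered" count="65535">
        <extrareasons reason="no-responses" count="65535"/>
      </extraports>
    </ports>
  </host>
</nmaprun>
"""

# Reasons that prove a TCP stack answered the connect() probe.
# nmap pluralises the reason inside <extrareasons> when the count is above one.
ANSWERED = {"syn-ack", "syn-acks", "conn-refused"}


def summarize(xml_text):
    """Return one dict per <host>: address, host reason, open ports, reason tally."""
    rows = []
    for host in ET.fromstring(xml_text).iter("host"):
        reasons = Counter()
        open_ports = []
        # Ports listed individually carry their own state and reason.
        for port in host.iterfind("ports/port"):
            state = port.find("state")
            reasons[state.get("reason")] += 1
            if state.get("state") == "open":
                open_ports.append(int(port.get("portid")))
        # Ports collapsed into <extraports> only carry aggregated reasons.
        for extra in host.iterfind("ports/extraports/extrareasons"):
            reasons[extra.get("reason")] += int(extra.get("count"))
        rows.append({
            "addr": host.find("address").get("addr"),
            "host_reason": host.find("status").get("reason"),
            "open_ports": open_ports,
            "reasons": dict(reasons),
            "answered": any(r in ANSWERED for r in reasons),
        })
    return rows


def report(rows):
    """Render one line per host for a support ticket."""
    lines = []
    for r in rows:
        verdict = "responding" if r["answered"] else "no TCP reply seen"
        lines.append(f'{r["addr"]}: host={r["host_reason"]} '
                     f'open={r["open_ports"]} -> {verdict}')
    return lines


if __name__ == "__main__":
    print("\n".join(report(summarize(SAMPLE_XML))))
```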
Scan failures
Case 1: Dial tcp <ipaddress>:445 failure
For this issue run the below command on the reported host and initiate a scan. These commands will help set SMB as True and help successfully scan an asset.
-> Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB2 -Type DWORD -Value 1 -Force
-> Set-NetFirewallRule -DisplayName "File And Printer Sharing (SMB-In)" -Enabled true -Profile Any
-> Set-NetFirewallRule -DisplayName "File And Printer Sharing (NB-Session-In)" -Enabled true -Profile Any
Case 2: No credential matched
For Active Directory Credentials, ensure that the Domain is added as the fully qualified domain name (FQDN) and that the Active Directory DC Name is set to the IP address (in case of DNS resolution failure, the Asset Name will not work). Please refer to the screenshot below.
For the Asset Inventory scan credential match issue, please follow the steps below to verify.
This tool will verify the SMB communication between probe agent and the remote asset. If this tool succeeds the communication from the agent machine then the probe agent will scan the remote asset for the vulnerabilities successfully, giving the Risk Score for that asset.
Download this file and copy it to the CyberCNS installation folder under C:\Program Files (x86)\CyberCNSAgentV2
Please use the below link to download a file for SMB validation and copy this file from Windows to Windows. https://betadev.mycybercns.com/agents/validateSMB.exe
Please use the below link for SMB validation and to copy this file from a Linux to a Windows machine. https://betadev.mycybercns.com/agents/validateSMB_linux
Navigate to the location of the file and run the below command under Powershell as an admin
>>./validateSMB.exe -hostname <IPAddress> -username <Username> -password <Password> -domain <domainname>
Note: Please add the password in double quotes.
Eg: >>./validateSMB.exe -hostname 10.10.10.22 -username cybercns -password "asdfghj" -domain cybercns.
To enable SMB, use the below commands
--> Open powershell as administrator.
Run the below commands
--> Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB2 -Type DWORD -Value 1 -Force
--> Set-NetFirewallRule -DisplayName "File And Printer Sharing (SMB-In)" -Enabled true -Profile Any
--> Set-NetFirewallRule -DisplayName "File And Printer Sharing (NB-Session-In)" -Enabled true -Profile Any
Once SMB is enabled successfully, please scan one asset that failed due to SMB using probe agent and validate the scan result.
Case 3: OS type not detected
If the nmap port scan from the CyberCNS agent detects no open ports, it only obtains an nmap ping, which is why OS type not detected is shown. Detection of the OS type is based on the open ports found. Since the scan did not return any value, the error "OS Type Not detected" is shown. To confirm, run the below commands from the agent machine.
Open the command prompt as an administrator
Navigate to cybercnsagentv2 folder
-> cd C:\Program Files (x86)\CyberCNSAgentV2\nmap
Run the nmap command
>>nmap.exe -sT --top-ports 3300 <IP Address>
If the output of this command returns as no ports open, then the error given above is correct.
If the output of this command returns ports, means that ports are found open. In this case please provide a screenshot to Support to look into further.
PII Scan for Mac scan status update:
Please enable cybercnsagentv2_darwin under Full disk Access to complete the PII Scan for Mac to get the scan status update. (cybercnsagentv2_darwin will be available under agent installation folder - /opt/CyberCNSAgentV2/ )
Agent related issues
AV/EDR Alert when scan is in process
AV/EDR alerting while CyberCNS Scan in process
For remote assets getting scanned via the Probe Agent, please whitelist the below executable path of the dissolvable agent on the remote asset: "C:\windows\CyberCNS_DissolvableAgent".
Alternatively, create an IOA Exclusion that matches all the different disks and executables.
Primary executables in the CyberCNSAgentV2 to Whitelist
Below are the primary executables in the CyberCNSAgentV2 (installation folder) to be whitelisted on the CyberCNS agent system.
cybercnsagent.exe
cyberutils.exe
nmap.exe
osqueryi.exe
cybercnsagentmonitor.exe
For remote assets getting scanned via Probe Agent:
Whitelist the below executable path of the dissolvable agent into a remote asset "C:\windows\CyberCNS_DissolvableAgent"
To whitelist the folder on the remote asset, use the path of the folder i.e “C:\Windows\CyberCNSAgent”
To uninstall cybercnsagentv2 from command prompt
For Windows:
-run command prompt as admin
-Navigate to CyberCNS Agent folder
>cd C:\Program Files (x86)\CyberCNSAgentV2
-Stop CyberCNSAgentV2 service
>net stop cybercnsagentv2
-remove/uninstall CyberCNSAgentV2
>cybercnsagentv2.exe -r
For Linux
For Mac
For ARM
To uninstall cybercnsagentv2 from Windows GUI
For Windows:
Stop CyberCNSAgentV2 service
Navigate to cybercnsagentv2 folder
>cd C:\Program Files (x86)\CyberCNSAgentV2
click on uninstall.bat file and follow instructions on screen
Upgrade/update the agent manually
For Windows:
Please use the below commands to upgrade/update the agent manually:
-Open command prompt as an admin
-Navigate to CyberCNSAgentV2 folder (C:\Program Files (x86)\CyberCNSAgentV2)
>net stop CyberCNSAgentV2 ( stop CyberCNSAgentV2 service)
>cybercnsagentv2.exe -u (to update agent)
>cybercnsagentv2.exe -v (to check the version of the agent)
> net start CyberCNSAgentV2 ( start CyberCNSAgentV2 service)
For Linux
For Mac
For ARM
For Mac to verify whether the binary is running using privileged user
In case the Mac agent is not registering, the Mac internal firewall is blocking the binary from running.
Please run the below command in the terminal window as an admin user to verify whether the binary is running:
>> sudo su
>>ps -ef | grep cybercnsagentv2_darwin
Steps to start and stop the agent in MAC.
Below are the steps to start and stop the agent in MAC.
To Stop CyberCNSAgent
sudo launchctl unload -w /Library/LaunchDaemons/com.CyberCNSAgentV2.AgentService.plist
To Start CyberCNSAgent
sudo launchctl load -w /Library/LaunchDaemons/com.CyberCNSAgentV2.AgentService.plist
To validate why the agent is not starting: MAC
For MAC: Please run the below command to validate why the agent is not starting and share the output with support
>>sudo su
>>cd /opt/CyberCNSAgentV2
>>./cybercnsagentv2_darwin -t Lightweight ( Agent in Debug Mode)
CyberCNS Agent is not reporting back to the portal
CyberCNS Agent is not reporting back to a portal ( Issue from 30-09-2021 patch, Fix released on 01-10-2021)
a. Uninstall an agent and reinstall again as the fix is released for builds not updated to 1-10-2021 OR
b. Please run the below commands on the Linux agent system and verify.
cd /opt/CyberCNSAgentV2
rm AssetScannedTime.txt
systemctl restart cybercnsagentv2
To check the type of agent installed for RMM use
For RMM use, the customer wants to know the type of agent installed.
Please use the below command to verify whether the CyberCNS agent running as a Probe or LightWeight Agent
WMIC path win32_process where caption="cybercnsagentv2.exe" get Caption,Processid,Commandline
Results will be as below for LightWeight and Probe
For LightWeight Agent
Caption CommandLine ProcessId
cybercnsagentv2.exe "C:\Program Files (x86)\CyberCNSAgentV2\cybercnsagentv2.exe" -t LightWeight 1392
For Probe Agent
Caption CommandLine ProcessId
cybercnsagentv2.exe "C:\Program Files (x86)\CyberCNSAgentV2\cybercnsagentv2.exe" -t Probe 1876
Few NMAP commands help to get certain information with reasons
NMAP commands help to get certain information with reasons
External Deep Scan information verification
>>nmap -oX - -T4 -Pn -sT --top-ports 65535 -sV --script ssl-cert,ssl-enum-ciphers,ssl-dh-params,ssl-heartbleed --script-timeout 120s --osscan-limit --max-rtt-timeout 100ms --max-parallelism 100 --min-hostgroup 100 --host-timeout 20m --reason <IP Address>
Asset discovery information
>>nmap.exe -sn 192.168.x.x/24 --reason
Asset ports status information
>>nmap -oX - -T4 -Pn -sT --top-ports 65535 --reason <IP Address>
External Scan for top 1000 ports:
>>nmap -sT --top-ports 1000 <IP Address>
In case the top 1000 ports are not available, checking whether IP is pinging or not
if any of the above is successful, scanning other 65535 ports except the top 1000 using the internal port scanner
>>nmap -sP <IP Address>
Based on ports we will use NSE Scripts
>>nmap -sV -p <Ports> --script <NSE Scripts for the given ports> <IP Address>
Windows 7 : CyberCNS Agent installation failure issue while using direct Powershell script from CyberCNS.
Windows 7 64 bit system facing CyberCNS Agent installation failure issue while using direct Powershell script from CyberCNS.
For Windows 7, the PowerShell script that directly downloads the CyberCNS agent has challenges. So please manually download the agent onto the system and run just the installation part of the command using PowerShell as an admin.
./cybercnsagent.exe -c 063fc29f-5ed8-428d-9f17-f28fb89ea545 -a 063fc29f-5ed8-428d-9f17-f28fb89ea545 -s 9beeb131-3241-4d50-bdb3-67ac43a80028 -b learnv2.mycybercns.com -i LightWeight
Note: Above command is for reference only. Please use command from your CyberCNS portal.
CyberCNS Agent 2.0.28- AD lockout issue
CyberCNS Agent 2.0.28- AD lockout issue addressed
This was resolved with an agent 2.0.28. We have stopped the invalid logins and we have implemented a scheme to not retry usernames and passwords that have been tried on any of the assets. So if a credential fails it is not tried till the credential has been modified. This will remove any issues with account lockouts.
Comparison for Probe/lightweight agents for Mac vs windows can and cannot be scanned
A comparison to see what can and can’t be scanned with the probe/lightweight agents for Mac vs Windows
Using a probe agent you can query endpoints, servers, and network devices(SNMP Enabled).
Using the LightWeight agent, you can scan endpoints or servers where the agent is installed.
Operating Systems supported scans are Windows, Mac, and Linux.
For Mac and Linux, the minimum supported Nmap version is greater than 7.92 in order to obtain all of the information.
The lightweight agent does not scan for network vulnerabilities. It will search for information about the system on which it is installed. (This is useful in work-from-home scenarios where the user is not on the corporate/office network).
CyberCNS Agent installation error: The system can not find the path specified.
During installation, the CyberCNS Agent gives the below error: "The system can not find the path specified."
The CyberCNS Agent must be installed with PowerShell as an administrator OR Command Prompt as an administrator.
New Agent installation using RMM
New Agent installation using RMM will need a download URL as the manual installation Powershell script in CyberCNS portal expires in 15 mins.
Here is a GET Url to generate the download link that you can use to download the agent
https://configuration.mycybercns.com/api/v3/configuration/agentlink?ostype=windows
>>supported ostype keys
For Windows -> windows
For Linux -> linux
For MAC -> darwin
For ARM / Raspberry Pi. -> arm
The response will be a download url. This way it is not hard coded but it can be used in automation.
SMB enabled but Scan failing
Though SMB is enabled in Windows 11, the scans are failing:
Follow the below steps for enabling SMB for Windows:
Additionally, add below registry key post enabling SMB for Windows 11 to get information using SMB:
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f
Vulnerability scan time-out error: Exception calling RStartServiceW. Code: 5, Msg: ERROR_ACCESS_DENIED
Vulnerability Scans timed out with an error: "Exception calling RStartServiceW. Code: 5, Msg: ERROR_ACCESS_DENIED"
The above error means that in the remote machine, the probe agent is not able to create dissolvable services. We have to verify if any EDR blocking or mentioned user has required permissions to create a service.
CyberCNS log file error: Error in installing VC_redist.x86.exe out: err:-
CyberCNS log file shows error as Log [Error in installing VC_redist.x86.exe out: err:- ]
This file is required to run the nmap scan; installation of the exe may be blocked. Please install "VC_redist.x86.exe" manually from the CyberCNS agent folder and verify by initiating the scan once.
The file is located in "C:\Program Files (x86)\CyberCNSAgentV2\nmap".
Self-hosted deployment
For CyberCNS Updates
CyberCNS V2 SSL certificate path for the customer to update.
CyberCNS V2 SSL certificate path for the customer to update on his own.
Location of File>> /etc/nginx/conf.d/vuln.conf
ssl_certificate /etc/letsencrypt/live/vuln.dbtsupport.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/vuln.dbtsupport.com/privkey.pem;
CyberCNS Password requirement
Error On Premise Installation: Minion is unable to communicate with salt
Minion is unable to successfully communicate with Salt ----error for on-premise installations:
-Make sure to confirm with tech team on the minion registration before the below commands on the on-premise instance.
rm /etc/salt/pki/minion/*
systemctl restart salt-minion
Not getting new updates released for CyberCNS.
This happens when the salt-minion service is not connecting to update the instance.
To check the salt-minion status, please run the below command
systemctl status salt-minion
Please run the below command to restart salt-minion service
systemctl restart salt-minion
Update SSL certificate for on premise ( Self Hosted) CyberCNS Instance
How to update certificate for on premise ( Self Hosted) CyberCNS Instance
The customer can find the configuration file below location:
/etc/nginx/conf.d/<domainname>.conf
Customer can keep their own certificates here.
Azure AD integration-related issues
Azure CSP account re-authentication
Azure CSP account authentication error- Use the below to re-authenticate the CSP account.
Please follow the below steps to re-authenticate the CSP account,
In the Azure portal go to an enterprise app, and search CyberCNS application and click on that.
Click the Properties on the left menu, then click Delete the CyberCNS application using the delete link on the right-hand side top menu.
In the CyberCNS Portal, Please delete your AzureAD credentials and re-authenticate once again.
If CSP account, you need to provide admin consent for all the tenants. Please refer to the below screenshot.
Then you can add the company mapping.
Please note while doing this CSP authentication and authorization kindly use the incognito browser window.
Azure AD errors out with user consent missing
Please follow the below steps to configure user consent settings through the Azure portal:
Login to Microsoft partner center -> go to the Customer List -> Select the customer whose data is not loading in CyberCNS.
Click on Azure Active Directory for the particular customer which will redirect to the Microsoft Azure portal.
Select Azure Active Directory > Enterprise applications > Consent and permissions > User consent settings.
Under User consent for applications, select which consent setting you want to configure for all users(Below is the snapshot attached for your reference).
Select Save to save your settings.
Please wait for 10 to 15 minutes after the consent and sometimes it may take more than 2 hours. Microsoft takes time to approve the application. After the approval the data will be populated in the CyberCNS portal.
Patching related issues
Match the CyberCNS data under Asset Details->Installed Patches section.
Use below command on windows system for which Installed KB to be verified, to get the installed KB details. This will help you match the CyberCNS data under Asset Details>Installed Patches section.
command: wmic qfe get HotfixID
Chocolatey community repo via RMM
Partner uses chocolatey community repo via RMM, and it looks like maybe after trying to update some programs with Chocolatey through cybercns, it changed the local computer version to try to use a cybercns repo. Is there a way we should switch this back in our script in our RMM so we don’t get these auth errors? Below is what we’re seeing:
Error: Invalid credentials specified. Error retrieving packages from source 'https://chocolateyrepo.mycybercns.com/chocolatey':
The remote server returned an error: (401) Unauthorized.
ANS: Before upgrading the chocolatey please run the below command in powershell as an administrator and try to upgrade.
>>choco source remove -n=cybercns
LOG file location: Chocolatey logs can be located in "C:\Program Files (x86)\CyberCNSAgentV2\CyberPatch\logs."
If you have installed Chocolatey manually, please find the log in "C:\ProgramData\Chocolatey\logs."
Patching: When FIPS Mode is enabled(Chocolatey FIPS Error)
Patching: When FIPS Mode is enabled, Chocolatey requires useFipsCompliantChecksums feature also be enabled. (Chocolatey FIPS Error)
The patching is failing with error as above which means, FIPS compliance is enabled in the Lightweight agent machine. Log into the machine where the patching is failing due to FIPS compliance and run the below command in PowerShell.
Command: choco feature enable --name="'useFipsCompliantChecksums'"
Once this command has run successfully, please initiate patching.
CyberCNS API issues
CyberCNS API uses which type of authentication
CyberCNS API Documentation
CyberCNS supports both OAuth2 and API token authentication. If a Postman collection would help, we can share it on your confirmation.
Remediation related issue
Log4j
Thank you for using CyberCNS. As we informed instances were patched immediately.
Now to enable remediation we have now added detection of the log4j vulnerability. Again the focus is on making everything actionable.
The new plugin scans machines to find all Java processes and searches the classpath to find whether a version of log4j is vulnerable. If yes, it checks whether mitigation has been applied. If not, it marks the asset as vulnerable, and this has been made available in the first dashboard.
OSQUERY to pull and verify related data:
On the agent system, Please open Command Prompt as an administrator
Navigate to CyberCNS Agent folder
Step 1: cd C:\Program Files (x86)\CyberCNSAgentV2
Step 2: osqueryi.exe
Run the desired or requested query and please share the screenshot of the output.
Eg. Step 3: SELECT vendor, version, date, revision, extra, address, size, volume_size,firmware_type FROM platform_info;
Vulnerabilities related issues
JNDI lookup status is tested in relation to CVE-2021-44228
Can I get some details on how the JNDI lookup status is tested in relation to CVE-2021-44228? Are you actually attempting the exploit using the JNDI:LDAP or DNS string and waiting to see if there’s a reply or is the scanner checking a config file for the JNDI status? Also, are the external scanners also trying the exploit to see if public facing hosts are vulnerable?
The CyberCNS scanner checks whether any process is using the Java log4j jar and also checks all the configured parameters to mark it as vulnerable or not vulnerable for CVE-2021-44228.
We fetch Log4j vulnerabilities based on the Java processes running on the system and validate whether each process is using the Log4j component. If it is using Log4j components, we verify which global environment variables are set and which JVM options are provided for that process. After considering all this, if any process matches the vulnerability criteria, we show it as vulnerable.
Once the authenticated vulnerability scan has completed successfully, you can see the results in the dashboards.
NOTE:
--In CyberCNS, we are Identifying log4j as vulnerable anything below/less than the version 2.17.0
Whereas the Ubiquiti software updated its log4j and is still version 2.16.0. So still, this is vulnerable and is popped in your dashboard.
Why do we refer to version 2.16.0 as vulnerable?
Please refer to the below link for
https://snyk.io/blog/log4j-2-16-vulnerability-cve-2021-45105-discovered/
--The external scan will scan for log4j against open port and if that port is found vulnerable for log4j, it will trigger a mail on the configured email ID.( Yes, only an External scan will trigger an email notification in case log4j vulnerability is found)
If you are not receiving any mail, it means that no log4j vulnerability was triggered by the payload that is being used. To verify that CyberCNS is working, you can download the following application and run it on any machine.
GitHub - christophetd/log4shell-vulnerable-app: Spring Boot web application vulnerable to Log4Shell (CVE-2021-44228).
Once installed you can trigger an external scan or you can do a probe/LW-based scan and you should see the dashboard and the mail from Canary Tokens.
There are three modes of Log4j detection. The one on the dashboard is a deep scan to find Log4j instances in any of the machines. However, in the case of VMware, there is no access to the vcenter filesystem to find if the system is vulnerable.
So we have done a version-based detection of the Log4j vulnerability and that shows in the internal report of Vulnerabilities.
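An added example (not the CyberCNS plugin's code) of the process-based check described above: find log4j-core on a Java process's classpath, compare it with the 2.17.0 threshold from the NOTE, and look for a mitigation in the JVM options and environment. The process records are constructed, and the two mitigation switches checked (the log4j2.formatMsgNoLookups JVM option and the LOG4J_FORMAT_MSG_NO_LOOKUPS environment variable) are Log4j's publicly documented ones, assumed here because the page does not list what the plugin inspects.

```python
import re

FIXED_IN = (2, 17, 0)  # the page flags anything below 2.17.0

# log4j-core-<version>[-qualifier].jar anywhere in a command line / classpath.
JAR = re.compile(r"log4j-core-(\d+(?:\.\d+)*)[^/\\:;\s]*\.jar", re.IGNORECASE)
# Assumed mitigation switch (JVM option form); only honoured by Log4j 2.10+.
NO_LOOKUPS_OPT = re.compile(r"-Dlog4j2\.formatMsgNoLookups=true\b", re.IGNORECASE)

# Constructed process records: command line plus environment of each JVM.
PROCESSES = [
    {"pid": 4101, "env": {},
     "cmdline": "java -cp /opt/app/lib/log4j-core-2.14.1.jar:/opt/app/app.jar com.example.Main"},
    {"pid": 4102, "env": {},
     "cmdline": "java -Dlog4j2.formatMsgNoLookups=true "
                "-cp /opt/ctrl/lib/log4j-core-2.16.0.jar:/opt/ctrl/ctrl.jar Ctrl"},
    {"pid": 4103, "env": {"LOG4J_FORMAT_MSG_NO_LOOKUPS": "true"},
     "cmdline": r"java -cp C:\svc\lib\log4j-core-2.17.1.jar;C:\svc\svc.jar Main"},
    {"pid": 4104, "env": {},
     "cmdline": "java -jar /opt/tool/tool.jar"},
]


def parse_version(text):
    """'2.16.0' -> (2, 16, 0); short versions are padded with zeros."""
    parts = tuple(int(p) for p in text.split("."))
    return parts + (0,) * (3 - len(parts))


def log4j_versions(cmdline):
    """All log4j-core versions named on the command line, lowest first."""
    return sorted({parse_version(m.group(1)) for m in JAR.finditer(cmdline)})


def mitigation_set(cmdline, env):
    """True if the no-lookups switch is present as a JVM option or env variable."""
    if NO_LOOKUPS_OPT.search(cmdline):
        return True
    return env.get("LOG4J_FORMAT_MSG_NO_LOOKUPS", "").lower() == "true"


def assess(proc):
    """Classify one Java process. Jars bundled inside a fat jar are not seen
    by this classpath-name check and would need a file-level scan."""
    versions = log4j_versions(proc["cmdline"])
    if not versions:
        status = "NO_LOG4J"
    elif versions[0] >= FIXED_IN:
        status = "NOT_VULNERABLE"
    elif mitigation_set(proc["cmdline"], proc["env"]):
        status = "VULNERABLE_MITIGATED"
    else:
        status = "VULNERABLE"
    return {
        "pid": proc["pid"],
        "versions": [".".join(map(str, v)) for v in versions],
        "status": status,
    }


if __name__ == "__main__":
    for p in PROCESSES:
        print(assess(p))
```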
Active Directory Audit
Active Directory Audit- How to use this feature?
A domain controller should have a lightweight agent or the probe agent to get this information from the event viewer of domain controller.
Assets Information mismatch
Bitlocker Encryption Status showing 'Unknown' in UI.
'Unknown' corresponds to 'PROTECTION UNKNOWN'; please refer to the below link.
https://learn.microsoft.com/en-us/windows/win32/secprov/win32-encryptablevolume#properties
CyberCNS Platform Password Cryptography related queries
How does CyberCNS store credentials within the platform?
Master and Asset Credentials of users are stored as a one-way hash using the PBKDF2 algorithm with salts and 27,500 hash iterations.
What is the Key Type Used (One-way Hash, Symmetric encryption etc)
Symmetric encryption with dynamic keys per company+partner combination
Algorithm Used (Bcrypt, PBKDF2, scrypt, Argon2 etc)
Algorithm is fernet with SHA 256
Key Length (Please include if the credentials are stored with a salt and pepper)
Credentials are stored with a salt but no pepper
Alerts/Notification rules
AD audit scans / Alerts not running
To perform an AD audit on a domain controller, it is important to first enable audit events.
Once enabled, The CyberCNS agent will read the events every 15 minutes and push them to your CyberCNS domain.
To verify which audit events are currently enabled, run the following command:
>> auditpol /get /category:*
This command will provide a list of all the audit categories and their status.
To Enable the audit events use the command given below
Create a ".bat" file and add the below lines based on user audit requirements, or run individual commands to enable audit events. (Ex: AUDITPOL /SET /SUBCATEGORY:"Security State Change" /SUCCESS:ENABLE )
@echo OFF
Rem Enable Security System Extension
echo Enabling "Security System Extension"
AUDITPOL /SET /SUBCATEGORY:"Security System Extension" /SUCCESS:ENABLE
echo Enabling "Security State Change"
AUDITPOL /SET /SUBCATEGORY:"Security State Change" /SUCCESS:ENABLE
AUDITPOL /SET /SUBCATEGORY:"Logon" /SUCCESS:ENABLE /FAILURE:ENABLE
AUDITPOL /SET /SUBCATEGORY:"Logoff" /SUCCESS:ENABLE
AUDITPOL /SET /SUBCATEGORY:"Other Logon/Logoff Events" /SUCCESS:ENABLE
AUDITPOL /SET /SUBCATEGORY:"Network Policy Server" /SUCCESS:ENABLE /FAILURE:ENABLE
AUDITPOL /SET /SUBCATEGORY:"Application Generated" /SUCCESS:ENABLE /FAILURE:ENABLE
AUDITPOL /SET /SUBCATEGORY:"Other Object Access Events" /SUCCESS:ENABLE
AUDITPOL /SET /SUBCATEGORY:"Process Creation" /SUCCESS:ENABLE
AUDITPOL /SET /SUBCATEGORY:"Process Termination" /SUCCESS:ENABLE
AUDITPOL /SET /SUBCATEGORY:"Authentication Policy Change" /SUCCESS:ENABLE
AUDITPOL /SET /SUBCATEGORY:"Authorization Policy Change" /SUCCESS:ENABLE
AUDITPOL /SET /SUBCATEGORY:"User Account Management" /SUCCESS:ENABLE /FAILURE:ENABLE
AUDITPOL /SET /SUBCATEGORY:"Computer Account Management" /SUCCESS:ENABLE
AUDITPOL /SET /SUBCATEGORY:"Security Group Management" /SUCCESS:ENABLE
AUDITPOL /SET /SUBCATEGORY:"Distribution Group Management" /SUCCESS:ENABLE
AUDITPOL /SET /SUBCATEGORY:"Directory Service Changes" /SUCCESS:ENABLE
AUDITPOL /SET /SUBCATEGORY:"Directory Service Access" /SUCCESS:ENABLE
AUDITPOL /SET /SUBCATEGORY:"Other Account Logon Events" /SUCCESS:ENABLE /FAILURE:ENABLE
AUDITPOL /SET /SUBCATEGORY:"Kerberos Authentication Service" /SUCCESS:ENABLE /FAILURE:ENABLE
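One way to confirm the batch file took effect, as an added example (not part of the CyberCNS tooling): it parses the CSV report produced by `auditpol /get /category:* /r` and lists the outcomes still missing. `REQUIRED` is a subset of the subcategories above, and `SAMPLE_REPORT`, including its placeholder GUID, is constructed.

```python
import csv

# Subcategory -> outcomes the batch file enables (subset; extend as needed).
REQUIRED = {
    "Security State Change": {"Success"},
    "Logon": {"Success", "Failure"},
    "Logoff": {"Success"},
    "Process Creation": {"Success"},
    "User Account Management": {"Success", "Failure"},
    "Kerberos Authentication Service": {"Success", "Failure"},
}

GUID = "{00000000-0000-0000-0000-000000000000}"  # placeholder, not a real GUID
# Constructed sample in the column layout of the /r report.
SAMPLE_REPORT = f"""
Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
DC01,System,Security State Change,{GUID},Success,
DC01,System,Logon,{GUID},Success,
DC01,System,Logoff,{GUID},Success and Failure,
DC01,System,Process Creation,{GUID},No Auditing,
DC01,System,User Account Management,{GUID},Success and Failure,
DC01,System,Kerberos Authentication Service,{GUID},Failure,
"""


def enabled_outcomes(setting):
    """Map 'Success and Failure', 'Success', 'Failure', 'No Auditing' to a set."""
    return {o for o in ("Success", "Failure") if o in (setting or "")}


def missing_audit_settings(report_csv, required=REQUIRED):
    """Return {subcategory: [missing outcomes]} for everything not yet enabled."""
    lines = [ln for ln in report_csv.splitlines() if ln.strip()]  # drop blank lines
    current = {}
    for row in csv.DictReader(lines):
        name = (row.get("Subcategory") or "").strip()
        if name:
            current[name] = enabled_outcomes(row.get("Inclusion Setting"))
    gaps = {}
    for subcategory, wanted in required.items():
        missing = wanted - current.get(subcategory, set())
        if missing:
            gaps[subcategory] = sorted(missing)
    return gaps
```

On a domain controller, feed it the standard output of `auditpol /get /category:* /r` instead of the sample. Subcategory and setting names are localized, so the English strings here match only English-language Windows.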
Recommended browser for interface
The interface seems sluggish. Is there a recommended browser for the best results?
Ans: Google Chrome is the best browser for the best results.
Using paexec to Execute Applications Without Installation
The pypsexec library is a Python implementation of the psexec tool, which allows for remote execution of commands on Windows systems. It utilizes the paexec binary package for executing processes remotely.
The workflow below is the common approach used by tools like psexec and pypsexec for remote service execution. Here is a summary of the steps involved:
Establish an SMB connection to the remote host.
Copy the paexec binary to the ADMIN$ share of the remote host. The ADMIN$ share is a built-in administrative share that provides administrative access to the root of each drive on a Windows machine.
Create a service on the remote host using the paexec binary. This service is responsible for executing the desired process or command.
Start the service to initiate the execution of the remote process.
After the agent execution process completes, stop and remove the paexec service from the remote host.
Remove the paexec binary from the ADMIN$ share of the remote host.
The agent will remove the paexec binary after the scan.
Dashboards FAQs
Q: Why are peaks and troughs seen in historical trending graphs? How do we verify it?
Ans: Because there might be no data within the time selected (3 hours) to be seen in the trending graphs.
The graph is generated in the dashboard tool from data produced by the scan.
It could be due to 3 reasons:
If the scan scheduler is set to run every 24 hours, viewing graphs for intervals of 3 hours or 12 hours may result in no data being available. If there are scans and you have taken a graph for 24 hours (or 1 day), then it shows an unbroken continuous line graph.
The periodic scan scheduler might have been removed, leading to the absence of scans and, consequently, no data available to display in the graph.
Assets might be offline, so scans might not be detected.
To see a proper graph in a continuous way, kindly select a period of the last 90 days or the last 1 year in the dashboards as shown below:
As shown in the graphs from one of our portals, there is a clear unbroken line of data for both the last 90 days and the last 1 year.
For past 90 days:
For past 1 year:
The time period of the dashboards can be adjusted by clicking on the Time Frame Calendar icon and selecting your desired timeframe period.
PowerShell 2.0 status check
We detect whether PowerShell 2.0 is enabled or disabled by running the commands shared below. Please verify the PowerShell 2.0 status on one of the reported server machines by running the following PowerShell command:
Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2 | foreach { $_.State}
To disable it, please run the following PowerShell command with Administrator privileges:
Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2